将CORS标头添加到j_security_check的响应中 [英] Add CORS headers to response of j_security_check
问题描述
我正在使用jax-rs和 WildFly 10 构建 REST API 。一些端点是安全的。我正在使用基于 FORM 的身份验证。
I'm building a REST API with jax-rs and WildFly 10. Some of the endpoints are secured. I'm using FORM based authentication.
在我的javascript代码中,我检查了 AJAX的响应请求,如果设置为 401 Unauthorized ,我会向用户提供登录表单。当他填写时,我将详细信息发布到 j_security_check 。
In my javascript code, I check the response of the AJAX request, and if it is set to 401 Unauthorized, I then present a login form to the user. When he fills it in, I POST the details to j_security_check.
在 localhost上运行这一切都运行正常,但是当网络服务器和REST服务器在不同的机器上时,浏览器会因跨域问题而拒绝AJAX请求。
Running on localhost this all works fine, but when the webserver and the REST server are on different machines, the browser denies the AJAX request due to cross-origin issues.
我理解CORS,所以我在我的REST服务器中添加了一个CORS过滤器,为GUI服务器设置CORS头。一切正常,除了一个小而重要的细节:登录成功后,CORS过滤器不会触发 j_security_check 响应。没有添加CORS标题,浏览器无法读取响应。
I understand CORS, so I added a CORS filter to my REST server that sets CORS headers for the GUI server. It all works fine, except for one small, but important detail: after the login has succeeded, the CORS filter does not fire for the j_security_check response. No CORS headers are added and the browser can not read the response.
除了这一个细节,我整个设置的工作方式与我想要的完全一样....但是我一整晚都在努力解决这个细节问题,我无法让它发挥作用。
Apart from this one detail I have the whole setup working exactly like I want it.... But I have been struggling with this detail all night and I just can't get it to work.
我知道尝试过滤存在问题j_security_check ,但我知道没有其他方法可以添加CORS标题...所以我的问题是:
I understand there are issues with trying to filter j_security_check, but I know of no other ways to add CORS headers... So my question is:
如何添加CORS标题为 j_security_check 的响应?
How do I add CORS headers to the response for j_security_check?
推荐答案
在 standalone.xml中配置 / 下载子系统 domain.xml 文件为我解决了这个问题。在那里配置的过滤器处理所有请求,包括 j_security_check 一个。
Configuring undertow subsystem in standalone.xml/domain.xml file solved this problem for me. Filters configured there handle all the requests including j_security_check one.
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" redirect-socket="https" socket-binding="http"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
<!--CORS headers -->
<filter-ref name="Access-Control-Allow-Origin"/>
<filter-ref name="Access-Control-Allow-Methods"/>
<filter-ref name="Access-Control-Allow-Headers"/>
<filter-ref name="Access-Control-Allow-Credentials"/>
<filter-ref name="Access-Control-Max-Age"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-value="WildFly/10" header-name="Server"/>
<response-header name="x-powered-by-header" header-value="Undertow/1" header-name="X-Powered-By"/>
<!-- CORS headers -->
<response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/>
<response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="OPTIONS, GET, POST, PUT, DELETE"/>
<response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/>
<response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/>
<response-header name="Access-Control-Max-Age" header-name="Access-Control-Max-Age" header-value="60"/>
</filters>
</subsystem>
当然你最好更换* GUI服务器的URL中的通配符 Access-Control-Allow-Origin 标头的value属性。
Of course you'd better replace "*" wildcard by your GUI server's url in the Access-Control-Allow-Origin header's value attribute.
这篇关于将CORS标头添加到j_security_check的响应中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
